Building Robust Third-Party Risk Management Strategies in Australia

Third-party risk management is vital for Australian organisations to maintain operational stability, protect against vulnerabilities, and comply with regulatory standards amid growing dependencies on external partners.

Third-party risk management (TPRM) is important in today's interconnected IT / OT environment. As organisations increasingly rely on a complex network of external partners and vendors, the need for robust third-party risk management practices has never been more important. 

The growing complexity and dependency on external entities underscores the importance of safeguarding against potential disruptions and breach scenarios that could impact operations. Effective third-party risk management is therefore essential for maintaining operational stability and protecting against the impact of vulnerabilities introduced through external partners.

What is third-party risk management?

Third-party risk management is the organisational process by which potential risks from external vendors, contractors, and partners are identified, mitigated and / or managed to a level that is acceptable to the business and management.

TPRM challenges in Australia

The challenge of managing third-party risks is particularly important for Australian organisations compared to their counterparts in other regions. This difficulty arises from factors such as Australia’s robust economy, which results in a greater dependence on a wide variety of external partners and service providers, as well as a regulatory environment that may differ from regions like North America, particularly the United States (U.S.), and Europe. In these regions, federal and state-level regulations, along with privacy laws like the Sarbanes-Oxley Act and the General Data Protection Regulation (GDPR), establish detailed compliance requirements for third-party risk management. 

This creates a well-defined framework in the U.S. and Europe, which may be more detailed than what is typically found in Australia. As a result, the responsibility lies with the organisation to effectively manage these risks, not only for compliance but also for upholding trust with clients, stakeholders and business partners.

Key steps to improving your cyber security and third-party risks

Every service provider carries associated risks. Organisations need to determine how critical the third party is based on what type of sensitive data (Personally Identifiable Information (PII), Sensitive Personally Identifiable Information (SPII) or Commercial in Confidence (CiC)) or critical systems these third parties have access to. The criticality assessment helps determine the potential impact on the business if there is a data or security breach with the respective third party.

1. Clear vendor contracts

As a first step, ensure you have clear and comprehensive vendor contracts. These contracts should be based on the security controls expected to be maintained by the management guidelines and responsibilities of each service provider. They must also include details on guard rails around data protection when the third-party provider has access to data and arrangements in case of any security breaches.

2. Periodic third-party security assessments

Another crucial area to focus on is the monitoring and management of third-party activities. It is important to conduct regular third-party security assessments (TPSAs) to ensure that vendors are following agreed-upon standards by evaluating their performance and security practices. If a vendor's security practices change or if they experience an incident, it's essential to assess how these factors might affect the organisation's operations. Effective communication with third parties is vital and should involve a clear communication plan and protocols for reporting security incidents and working together to resolve them. Over time, successful collaboration with third-party teams and ensuring effective governance can encourage these parties to adopt a security-first approach, promoting transparency and openness in the event of any incidents.

3. Use cyber risk mitigation strategies

In addition, by investing in technologies and practices focused on enhancing general security, organisations can reduce vulnerabilities, strengthen access controls, and improve data encryption and regular security patch management. These measures contribute to lowering the risk of vulnerabilities being exploited, preventing broader security incidents, and minimising operational downtime.

4. Develop an incident response plan

Moreover, organisations must be prepared for any incident that may arise and impact operational availability. This implies that the service recipient organisation has designed and rehearsed (table-top exercise) an incident response plan that involves third-party scenarios so that the recipient organisation can be better positioned to respond efficiently in case any security event or data breach occurs.

Compliance management and benefits:

Overall, while practical steps form the basis of robust TPRM, compliance with established standards and guidelines can lay an additional layer of order and confidence in the TPRM. The Critical Infrastructure Act 2018 (SOCI) is a cornerstone of Australia's strategy for safeguarding key sectors of critical infrastructure. A crucial aspect of this act addresses third-party risk management. 

Given that critical infrastructure operators rely on their contracted vendors for various support functions, the SOCI Act emphasises the integration of comprehensive third-party risk management practices with existing security frameworks and operational protocols. Besides the SOCI Act, organisations in Australia are advised to implement the Essential 8. These are baseline cyber security mitigation strategies recommended by the Australian Cyber Security Centre (ACSC). 

They highlight key strategies relevant to third-party risk management including application whitelisting to prevent unauthorised applications from running, patch management for vulnerabilities, and multi-factor authentication to secure access. 

The Australian Prudential Regulation Authority (APRA) has additional standards and requirements for financial institutions in CPS 234 and CPS 230. APRA CPS 234 pertains to information security and requires a financial institution to adopt relevant measures for managing information security risks. Similarly, APRA CPS 230 deals with operational resiliency and views third-party risks in relation to assurance of operational stability.

By integrating proactive strategies, compliance with regulatory standards, and practical risk management practices, organisations can better safeguard their operations, maintain security, and develop resilience in today’s threat landscape.

FOR MORE INFORMATION

If you would like to learn more about the topics discussed in this article, please contact your local RSM office.